Accounts & sign-in
Invites, two-factor authentication, recovery codes, password reset, and sessions.
Invite-only sign-up
After the first admin exists, new accounts arrive only by invitation. An admin sends an invite (email + role); the invitee follows a one-time link to finish sign-up and gets the invited role. Invites expire, and the invite link is stored hashed, so a database dump never reveals a usable link.
There's no public sign-up form. The only people with accounts are the people you invited.
Two-factor authentication (TOTP)
Two-factor uses a standard time-based one-time password (TOTP) from any authenticator app. Set it up under Account → Security:
- Confirm your password.
- Scan the QR code (or copy the secret) into your authenticator.
- Save your recovery codes (download or copy). They're shown once.
- Enter a current code to turn on two-factor.
Recovery codes are not optional
Each recovery code works once if you lose your authenticator. Save them somewhere safe the moment they appear — they're not shown again. Both the TOTP secret and the codes are encrypted at rest.
Password reset
If SMTP is configured, a password reset arrives as a time-limited email link. Email is fine for reset because it isn't the sign-in path — your password + TOTP always work, mail or no mail. If email is down, an admin can re-invite you.
Sessions
Account → Sessions lists every active session — its device, address, and start time — with a Revoke action on each. Revoke the session you're using and you're signed out and sent to the login page; revoke another and it simply drops. Every revoke is recorded in the audit log.